Securing Apache with client certificate authentication (mutual TLS): a private CA, a server certificate and a client certificate generated with OpenSSL from a Makefile.
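# client.conf - OpenSSL request/extension configuration for the CLIENT certificate.
# The Makefile uses it twice: `openssl req -config client.conf` when building the
# CSR (the subject itself is passed with -subj), and
# `openssl x509 -req -extfile client.conf -extensions req_ext` when the CA signs it,
# so whatever is in [ req_ext ] ends up in the issued certificate.
[ req ]
req_extensions = req_ext
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# intentionally empty: the DN comes from -subj on the command line

[ req_ext ]
# Leaf certificate, explicitly not a CA.
basicConstraints = CA:FALSE
keyUsage = digitalSignature
# Marks the certificate for TLS client authentication. The previous version
# carried the user name ("Notes User") in a DNS subjectAltName, which is not a
# host name and has no meaning for client auth; the user's identity lives in the
# subject CN set by -subj in the Makefile, so no SAN is needed here.
extendedKeyUsage = clientAuth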
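# Makefile - builds a private CA, a TLS server certificate and a client
# certificate for Apache client-certificate authentication, ships the server
# material to the Apache host, trusts the CA on this Mac and packs the client
# identity as a PKCS#12 (.pfx) file for import into a browser/keychain.
#
#   make create   regenerate everything (runs `clean` first, so a new CA each time)
#   make clean    remove all generated files (and the CA trust installed by `create`)
#
# Secrets produced here: the CA key (encrypted, passphrase in $(CA_PASS)), the
# unencrypted server/client keys, and the PFX (password in $(PFX_PASS)).
.DEFAULT_GOAL := hello
.PHONY: create hello clean

CA = ca
CA_NAME = Jano CA
SERVER = jano
SERVER_DOMAIN = jano.com.es
CLIENT = client
CLIENT_NAME = Notes user
SERVER_CONF = server.conf
CLIENT_CONF = client.conf

# Passphrase for the CA key and password for the PFX are kept in separate files:
# the PFX password is handed to whoever imports the client identity, and must
# not also unlock the CA key.
CA_PASS = passphrase.txt
PFX_PASS = pfx-password.txt

# Apache host and directory receiving the CA cert, server cert and server key.
# Override on the command line: make create REMOTE=user@host
REMOTE ?= ubuntu@lightsail
REMOTE_DIR ?= /etc/apache2/client-certs

# Validity in days. Nothing here publishes a CRL or runs OCSP, so a leaked leaf
# cannot be revoked; keep leaf lifetimes short. Apple's TLS trust rules (macOS
# 10.15+) also reject server certificates valid for more than 825 days.
CA_DAYS ?= 3650
CERT_DAYS ?= 825

# Subject prefix shared by the three certificates; each adds its own CN.
DN = /C=ES/ST=Madrid/L=Madrid/O=Jano/OU=Org

create: clean
	# random passphrases; `umask 077` makes the files owner-readable only and is
	# repeated per line because every recipe line runs in its own shell
	umask 077; head -c 24 /dev/random | base64 | tr -d '\n' > $(CA_PASS)
	umask 077; head -c 24 /dev/random | base64 | tr -d '\n' > $(PFX_PASS)
	# CA private key, encrypted with AES-256 (3DES is legacy)
	umask 077; openssl genpkey -aes-256-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out $(CA).key -pass file:$(CA_PASS)
	# self-signed root CA certificate
	openssl req -new -sha256 -subj "$(DN)/CN=$(CA_NAME)" -x509 -days $(CA_DAYS) -key $(CA).key -out $(CA).crt -passin file:$(CA_PASS)
	# server key (unencrypted: Apache reads it unattended at start-up) and CSR
	umask 077; openssl req -newkey rsa:4096 -nodes -keyout $(SERVER).key -out $(SERVER).csr -subj "$(DN)/CN=$(SERVER_DOMAIN)" -config $(SERVER_CONF)
	# server certificate; extensions (SAN etc.) come from [req_ext] in $(SERVER_CONF).
	# The serial is 64 random bits rather than a fixed number: re-issuing under the
	# same issuer name with a serial a client has already seen is rejected by some
	# clients (Firefox reports SEC_ERROR_REUSED_ISSUER_AND_SERIAL).
	openssl x509 -req -sha256 -days $(CERT_DAYS) -in $(SERVER).csr -CA $(CA).crt -CAkey $(CA).key -set_serial 0x$$(openssl rand -hex 8) -out $(SERVER).crt -passin file:$(CA_PASS) -extensions req_ext -extfile $(SERVER_CONF)
	# client key and CSR; the key stays unencrypted on disk until `make clean`,
	# it is only password-protected inside the PFX built below
	umask 077; openssl req -newkey rsa:4096 -nodes -keyout $(CLIENT).key -out $(CLIENT).csr -subj "$(DN)/CN=$(CLIENT_NAME)" -config $(CLIENT_CONF)
	# client certificate; extensions come from [req_ext] in $(CLIENT_CONF)
	openssl x509 -req -sha256 -days $(CERT_DAYS) -in $(CLIENT).csr -CA $(CA).crt -CAkey $(CA).key -set_serial 0x$$(openssl rand -hex 8) -out $(CLIENT).crt -passin file:$(CA_PASS) -extensions req_ext -extfile $(CLIENT_CONF)
	# Copy to the Apache host as root (the target directory is root-owned). Only the
	# CA cert, server cert and server key go there; the CA key never leaves this
	# machine. `-pt` keeps mode and mtime but, unlike `-a`, does not try to
	# reproduce the local owner/group, so the files end up owned by root.
	rsync -pt --rsync-path="sudo rsync" $(CA).crt $(REMOTE):$(REMOTE_DIR)/$(CA).crt
	rsync -pt --rsync-path="sudo rsync" $(SERVER).crt $(REMOTE):$(REMOTE_DIR)/$(SERVER).crt
	rsync -pt --rsync-path="sudo rsync" $(SERVER).key $(REMOTE):$(REMOTE_DIR)/$(SERVER).key
	# validate the config before restarting so a bad config cannot take Apache down
	ssh $(REMOTE) "sudo apachectl configtest && sudo apachectl restart"
	# Trust the CA in the System keychain (asks for the admin password). Trust is
	# limited to the SSL policy: this CA only needs to vouch for $(SERVER_DOMAIN),
	# not for code signing, S/MIME, etc. Add further `-p <policy>` flags if needed.
	sudo security add-trusted-cert -d -r trustRoot -p ssl -k /Library/Keychains/System.keychain $(CA).crt
	# Package the client key, client certificate and CA certificate as a PFX for a browser.
	umask 077; openssl pkcs12 -export -out $(CLIENT).pfx -inkey $(CLIENT).key -in $(CLIENT).crt -certfile $(CA).crt -passout file:$(PFX_PASS)
	# The PFX password goes to the clipboard for the import dialog. Note that a
	# clipboard manager, if installed, will keep a copy of it.
	pbcopy < $(PFX_PASS)
	@echo The pfx password is in the clipboard.
	open $(CLIENT).pfx

hello:
	@echo Type \'make create\', or \'make clean\'.

clean:
	# Drop the trust installed by `create` for the current CA, otherwise every run
	# leaves one more trusted "$(CA_NAME)" root in the System keychain. Ignored
	# (leading `-`) when there is no CA cert or it was never trusted.
	-[ -f $(CA).crt ] && sudo security remove-trusted-cert -d $(CA).crt
	rm -f $(CA).crt $(CA).key
	rm -f $(SERVER).key $(SERVER).csr $(SERVER).crt
	rm -f $(CLIENT).key $(CLIENT).csr $(CLIENT).crt $(CLIENT).pfx
	# the passphrase files are secrets too; do not leave them behind
	rm -f $(CA_PASS) $(PFX_PASS)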
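# server.conf - OpenSSL request/extension configuration for the SERVER certificate.
# The Makefile uses it twice: `openssl req -config server.conf` when building the
# CSR (the subject itself is passed with -subj), and
# `openssl x509 -req -extfile server.conf -extensions req_ext` when the CA signs it,
# so whatever is in [ req_ext ] ends up in the issued certificate.
[ req ]
req_extensions = req_ext
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# intentionally empty: the DN comes from -subj on the command line

[ req_ext ]
# Leaf certificate, explicitly not a CA.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# Required for a TLS server certificate by current clients (Apple's trust rules on
# macOS 10.15+ reject server certificates without the serverAuth EKU).
extendedKeyUsage = serverAuth
# Browsers match the host name against the SAN, not the CN, so the name used in
# the URL must appear here (add DNS.2 = ... for further names).
subjectAltName = @alt_names

[alt_names]
DNS.1 = jano.com.es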